Cloud Security Standards Policy

  1. Purpose
    This policy establishes security guidelines for protecting Melrose Labs' cloud infrastructure, ensuring confidentiality, integrity, and availability of cloud-hosted services and data.
  2. Scope
    Applies to all cloud services, including Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) used by Melrose Labs.
  3. Cloud Security Principles
    • Confidentiality: Protecting data from unauthorised access through encryption and access controls.
    • Integrity: Ensuring data accuracy and preventing unauthorised modifications.
    • Availability: Maintaining resilience against outages and attacks.
  4. Access Control & Identity Management
    • Multi-Factor Authentication (MFA) is required for all administrative and privileged cloud accounts.
    • Role-based access control (RBAC) ensures least privilege access.
    • Regular access reviews are conducted per the IT Security Policy.
  5. Data Protection & Encryption
    • Data at rest is encrypted using industry-standard AES-256 encryption.
    • Data in transit is encrypted using TLS 1.2+ and AES-256-GCM.
    • Sensitive workloads and customer data are segregated to prevent unauthorised cross-access.
  6. Network Security & Connectivity
    • Virtual Private Cloud (VPC) configurations are enforced for isolation.
    • Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) are implemented.
    • Secure tunneling (VPN, SSH) is required for remote administrative access.
  7. Resilience & Disaster Recovery
    • Cloud systems adhere to the Disaster Recovery Plan (DRP) for failover and restoration.
    • High-availability architectures with load balancing are implemented where required.
    • Automated backup strategies follow the Backup Policy.
  8. Monitoring & Incident Response
    • Continuous security monitoring is conducted via SIEM (Security Information and Event Management).
    • Automated alerts detect unauthorised access and policy violations.
    • Security incidents are handled per the Incident Response Plan.
  9. Compliance & Review
    • Cloud security configurations align with ISO 27001, GDPR, and other regulatory standards.
    • Security audits and penetration testing are performed regularly.
    • This policy is reviewed annually to ensure alignment with evolving threats and best practices.